Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/auth_form.go | 1 | ||||
-rw-r--r-- | modules/auth/ldap/README.md | 107 | ||||
-rw-r--r-- | modules/auth/ldap/ldap.go | 25 |
3 files changed, 93 insertions, 40 deletions
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
index b2d427b4..c1d49f66 100644
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@@ -19,6 +19,7 @@ type AuthenticationForm struct {
 BindDN string `form:"bind_dn"`
 BindPassword string
 UserBase string
+ UserDN string `form:"user_dn"`
 AttributeName string
 AttributeSurname string
 AttributeMail string
diff --git a/modules/auth/ldap/README.md b/modules/auth/ldap/README.md
index 9a2a6aa1..3a3e0204 100644
--- a/modules/auth/ldap/README.md
+++ b/modules/auth/ldap/README.md
@@ -4,61 +4,98 @@ Gogs LDAP Authentication Module ## About This authentication module attempts to authorize and authenticate a user -against an LDAP server. Like most LDAP authentication systems, this module does -this in two steps. First, it queries the LDAP server using a Bind DN and -searches for the user that is attempting to sign in. If the user is found, the -module attempts to bind to the server using the user's supplied credentials. If -this succeeds, the user has been authenticated, and his account information is -retrieved and passed to the Gogs login infrastructure. +against an LDAP server. It provides two methods of authentication: LDAP via +BindDN, and LDAP simple authentication. + +LDAP via BindDN functions like most LDAP authentication systems. First, it +queries the LDAP server using a Bind DN and searches for the user that is +attempting to sign in. If the user is found, the module attempts to bind to the +server using the user's supplied credentials. If this succeeds, the user has +been authenticated, and his account information is retrieved and passed to the +Gogs login infrastructure. + +LDAP simple authentication does not utilize a Bind DN. Instead, it binds +directly with the LDAP server using the user's supplied credentials. If the bind +succeeds and no filter rules out the user, the user is authenticated. + +LDAP via BindDN is recommended for most users. By using a Bind DN, the server +can perform authorization by restricting which entries the Bind DN account can +read. Further, using a Bind DN with reduced permissions can reduce security risk +in the face of application bugs. ## Usage To use this module, add an LDAP authentication source via the Authentications -section in the admin panel. The fields should be set as follows: +section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP +share the following fields: * Authorization Name **(required)** - * A name to assign to the new method of authorization. 
+ * A name to assign to the new method of authorization. * Host **(required)** - * The address where the LDAP server can be reached. - * Example: mydomain.com + * The address where the LDAP server can be reached. + * Example: mydomain.com * Port **(required)** - * The port to use when connecting to the server. - * Example: 636 + * The port to use when connecting to the server. + * Example: 636 * Enable TLS Encryption (optional) - * Whether to use TLS when connecting to the LDAP server. + * Whether to use TLS when connecting to the LDAP server. + +* Admin Filter (optional) + * An LDAP filter specifying if a user should be given administrator + privileges. If a user accounts passes the filter, the user will be + privileged as an administrator. + * Example: (objectClass=adminAccount) + +* First name attribute (optional) + * The attribute of the user's LDAP record containing the user's first name. + This will be used to populate their account information. + * Example: givenName + +* Surname attribute (optional) + * The attribute of the user's LDAP record containing the user's surname This + will be used to populate their account information. + * Example: sn + +* E-mail attribute **(required)** + * The attribute of the user's LDAP record containing the user's email + address. This will be used to populate their account information. + * Example: mail + +**LDAP via BindDN** adds the following fields: * Bind DN (optional) - * The DN to bind to the LDAP server with when searching for the user. - This may be left blank to perform an anonymous search. - * Example: cn=Search,dc=mydomain,dc=com + * The DN to bind to the LDAP server with when searching for the user. This + may be left blank to perform an anonymous search. + * Example: cn=Search,dc=mydomain,dc=com * Bind Password (optional) - * The password for the Bind DN specified above, if any. + * The password for the Bind DN specified above, if any. _Note: The password + is stored in plaintext at the server. 
As such, ensure that your Bind DN + has as few privileges as possible._ * User Search Base **(required)** - * The LDAP base at which user accounts will be searched for. - * Example: ou=Users,dc=mydomain,dc=com + * The LDAP base at which user accounts will be searched for. + * Example: ou=Users,dc=mydomain,dc=com * User Filter **(required)** - * An LDAP filter declaring how to find the user record that is attempting - to authenticate. The '%s' matching parameter will be substituted with - the user's username. - * Example: (&(objectClass=posixAccount)(uid=%s)) + * An LDAP filter declaring how to find the user record that is attempting to + authenticate. The '%s' matching parameter will be substituted with the + user's username. + * Example: (&(objectClass=posixAccount)(uid=%s)) -* First name attribute (optional) - * The attribute of the user's LDAP record containing the user's first - name. This will be used to populate their account information. - * Example: givenName +**LDAP using simple auth** adds the following fields: -* Surname name attribute (optional) - * The attribute of the user's LDAP record containing the user's surname - This will be used to populate their account information. - * Example: sn +* User DN **(required)** + * A template to use as the user's DN. The `%s` matching parameter will be + substituted with the user's username. + * Example: cn=%s,ou=Users,dc=mydomain,dc=com + * Example: uid=%s,ou=Users,dc=mydomain,dc=com -* E-mail attribute **(required)** - * The attribute of the user's LDAP record containing the user's email - address. This will be used to populate their account information. - * Example: mail +* User Filter **(required)** + * An LDAP filter declaring when a user should be allowed to log in. The `%s` + matching parameter will be substituted with the user's username. + * Example: (&(objectClass=posixAccount)(cn=%s)) + * Example: (&(objectClass=posixAccount)(uid=%s)) 
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index de1108fd..61cfca90 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -22,6 +22,7 @@ type Ldapsource struct {
 BindDN string // DN to bind with
 BindPassword string // Bind DN password
 UserBase string // Base search path for users
+ UserDN string // Template for the DN of the user for simple auth
 AttributeName string // First name attribute
 AttributeSurname string // Surname attribute
 AttributeMail string // E-mail attribute
@@ -78,10 +79,19 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
 }
 
 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
- userDN, found := ls.FindUserDN(name)
- if !found {
- return "", "", "", false, false
+func (ls Ldapsource) SearchEntry(name, passwd string, directBind bool) (string, string, string, bool, bool) {
+ var userDN string
+ if directBind {
+ log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
+ userDN = fmt.Sprintf(ls.UserDN, name)
+ } else {
+ log.Trace("LDAP will use BindDN.")
+
+ var found bool
+ userDN, found = ls.FindUserDN(name)
+ if !found {
+ return "", "", "", false, false
+ }
 }
 
 l, err := ldapDial(ls)
@@ -112,7 +122,12 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
 return "", "", "", false, false
 } else if len(sr.Entries) < 1 {
- log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
+ if directBind {
+ log.Error(4, "User filter inhibited user login.")
+ } else {
+ log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
+ }
+
 return "", "", "", false, false
 }
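Review bot: In the new directBind branch, `userDN = fmt.Sprintf(ls.UserDN, name)` substitutes the login name into a DN template with no escaping, so a submitted name containing DN metacharacters (`,`, `+`, `=`, `\`, `<`, `>`, `;`, `"`, `#`) can rewrite the RDN sequence and bind as an entry other than the one the template intends; the same unescaped name is later substituted into the user filter as well. Escape the name per RFC 4514 (backslash-escape those characters plus leading/trailing spaces) before the Sprintf, and reject an empty name up front. Using Sprintf also means a template with no `%s`, or with stray `%` verbs, silently yields a DN containing `%!s(MISSING)` or `%!(EXTRA ...)` text instead of an error; validating that `ls.UserDN` contains exactly one `%s` and then using `strings.Replace(ls.UserDN, "%s", escapedName, 1)` avoids that class of surprise. The bind with `passwd` happens past the hunk; if it does not already reject an empty password, add `if passwd == "" { return "", "", "", false, false }` before it, since a bind with a DN and an empty password is an unauthenticated bind that many directory servers accept. SearchEntry's body continues outside the hunk.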